https://live.paloaltonetworks.com/t5/general-topics/new-anti-spyware-signatures-false-positives/m-p/545561#M111553 <P>Hello,</P> <P>&nbsp;</P> <P>The latest application and threat content update this week added a couple of new anti-spyware signatures:</P> <TABLE width="100%"> <TBODY> <TR> <TD> <P>medium</P> </TD> <TD> <P>86759</P> </TD> <TD> <P>AndroxGh0st Scanning Traffic Detection</P> </TD> <TD width="140"> <P>spyware</P> </TD> <TD width="85"> <P>alert</P> </TD> </TR> <TR> <TD> <P>medium</P> </TD> <TD> <P>86760</P> </TD> <TD> <P>AndroxGh0st Scanning Traffic Detection</P> </TD> <TD width="140"> <P>spyware</P> </TD> <TD width="85"> <P>alert</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>These are being described as&nbsp;<SPAN data-reactid=".0.1.1:$yzSMo.2.0.0.1.0.1.0.b.1:0.0.0.0">python malware exploiting your aws keys traffic, which does not apply to the objects originating the alert in my case<BR /><BR />I'm wondering if this is another case of a new signature from Palo that is not properly tuned again.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-reactid=".0.1.1:$yzSMo.2.0.0.1.0.1.0.b.1:0.0.0.0">Thanks,&nbsp;</SPAN><SPAN data-reactid=".0.1.1:$yzSMo.2.0.0.1.0.1.0.b.1:0.0.0.1">&nbsp;&nbsp;</SPAN></P> Sat, 10 Jun 2023 12:56:19 GMT axemte 2023-06-10T12:56:19Z https://live.paloaltonetworks.com/t5/general-topics/new-anti-spyware-signatures-false-positives/m-p/545561#M111553 <P>Hello,</P> <P>&nbsp;</P> <P>The latest application and threat content update this week added a couple of new anti-spyware signatures:</P> <TABLE width="100%"> <TBODY> <TR> <TD> <P>medium</P> </TD> <TD> <P>86759</P> </TD> <TD> <P>AndroxGh0st Scanning Traffic Detection</P> </TD> <TD width="140"> <P>spyware</P> </TD> <TD width="85"> <P>alert</P> </TD> </TR> <TR> <TD> <P>medium</P> </TD> <TD> <P>86760</P> </TD> <TD> <P>AndroxGh0st Scanning Traffic Detection</P> </TD> <TD width="140"> <P>spyware</P> </TD> <TD width="85"> <P>alert</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>These are being described as&nbsp;<SPAN data-reactid=".0.1.1:$yzSMo.2.0.0.1.0.1.0.b.1:0.0.0.0">python malware exploiting your aws keys traffic, which does not apply to the objects originating the alert in my case<BR /><BR />I'm wondering if this is another case of a new signature from Palo that is not properly tuned again.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-reactid=".0.1.1:$yzSMo.2.0.0.1.0.1.0.b.1:0.0.0.0">Thanks,&nbsp;</SPAN><SPAN data-reactid=".0.1.1:$yzSMo.2.0.0.1.0.1.0.b.1:0.0.0.1">&nbsp;&nbsp;</SPAN></P> Sat, 10 Jun 2023 12:56:19 GMT https://live.paloaltonetworks.com/t5/general-topics/new-anti-spyware-signatures-false-positives/m-p/545561#M111553 axemte 2023-06-10T12:56:19Z https://live.paloaltonetworks.com/t5/general-topics/new-anti-spyware-signatures-false-positives/m-p/545606#M111559 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/130678">@axemte</a> ,</P> <P>&nbsp;</P> <P>I'd recommend setting up the alert so that you can get the PCAP and have it reviewed by TAC/devteam so they can review and fix it in case of false positive:</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/take-packet-captures/take-a-threat-packet-capture" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/take-packet-captures/take-a-threat-packet-capture</A></P> <P>&nbsp;</P> <P>Kind regards,</P> <P>-Kim.</P> Mon, 12 Jun 2023 08:12:11 GMT https://live.paloaltonetworks.com/t5/general-topics/new-anti-spyware-signatures-false-positives/m-p/545606#M111559 kiwi 2023-06-12T08:12:11Z